From bdda7387226ad5fcd887ecc2f664e9c03c51d70f Mon Sep 17 00:00:00 2001
From: Sven Hoexter
Date: Tue, 2 Apr 2024 12:05:33 +0200
Subject: [PATCH] fix: provide a sensible example for a privateca Root CA example
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This one looks a lot like someone copied by accident the subordinate example out of `certificate_authority_subordinate/main.tf` as a root CA. Thus it contains a lot of values set which are outright invalid or not recommend for Root CA certficates if you consider RFC 5280 and CA/B Baseline Requirements as the standard to follow. Also the subordinate example is a bit odd, e.g. configuring SAN on any kind of CA certificate doesn't make sense. And the resources examples there make use of the same pool name. Align the lifetime to some practical values, 10years for a Root CA and 5years for a subordinate.

Signed-off-by: Sven Höxter
---
 privateca/certificate_authority_basic/main.tf | 39 +++++++------------
 .../certificate_authority_subordinate/main.tf | 39 +++++++------------
 2 files changed, 27 insertions(+), 51 deletions(-)

diff --git a/privateca/certificate_authority_basic/main.tf b/privateca/certificate_authority_basic/main.tf
index b362546d1..01bcc95fa 100644
--- a/privateca/certificate_authority_basic/main.tf
+++ b/privateca/certificate_authority_basic/main.tf
@@ -15,52 +15,41 @@
 */
 
 # [START privateca_create_ca]
-resource "google_privateca_certificate_authority" "default" {
+resource "google_privateca_certificate_authority" "root_ca" {
 // This example assumes this pool already exists.
 // Pools cannot be deleted in normal test circumstances, so we depend on static pools
- pool = "my-pool"
- certificate_authority_id = "my-certificate-authority-hashicorp"
- location = "us-central1"
- deletion_protection = false # set to true to prevent destruction of the resource
+ pool = "my-pool"
+ certificate_authority_id = "my-certificate-authority-root"
+ location = "us-central1"
+ deletion_protection = false # set to true to prevent destruction of the resource
+ ignore_active_certificates_on_deletion = true
 config {
 subject_config {
 subject {
- organization = "HashiCorp"
+ organization = "ACME"
 common_name = "my-certificate-authority"
 }
- subject_alt_name {
- dns_names = ["hashicorp.com"]
- }
 }
 x509_config {
 ca_options {
- is_ca = true
- max_issuer_path_length = 10
+ # is_ca *MUST* be true for certificate authorities
+ is_ca = true
 }
 key_usage {
 base_key_usage {
- digital_signature = true
- content_commitment = true
- key_encipherment = false
- data_encipherment = true
- key_agreement = true
- cert_sign = true
- crl_sign = true
- decipher_only = true
+ # cert_sign and crl_sign *MUST* be true for certificate authorities
+ cert_sign = true
+ crl_sign = true
 }
 extended_key_usage {
- server_auth = true
- client_auth = false
- email_protection = true
- code_signing = true
- time_stamping = true
 }
 }
 }
 }
- lifetime = "86400s"
 key_spec {
 algorithm = "RSA_PKCS1_4096_SHA256"
 }
+ // valid for 10 years
+ lifetime = "${10 * 365 * 24 * 3600}s"
 }
 # [END privateca_create_ca]
diff --git a/privateca/certificate_authority_subordinate/main.tf b/privateca/certificate_authority_subordinate/main.tf
index b15bbdd6e..975b7941b 100644
--- a/privateca/certificate_authority_subordinate/main.tf
+++ b/privateca/certificate_authority_subordinate/main.tf
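Review bot: `ignore_active_certificates_on_deletion = true` is added to the root CA without any comment, although it is the more consequential of the two deletion settings on the new side: it lets the CA be destroyed while certificates it issued are still unexpired and unrevoked, which is rarely what a deployment outside a test harness wants. Because this resource sits between the `[START privateca_create_ca]` and `[END]` markers it is presumably copied into documentation, so it deserves the same inline note that `deletion_protection` already carries, e.g. `ignore_active_certificates_on_deletion = true # allows destroy while issued certificates are still active; keep false outside test setups`. The `extended_key_usage {` block is left empty on the new side; if the provider requires the block to be present, say so instead of leaving a bare pair of braces, e.g. `extended_key_usage {} # intentionally empty: CA certificates carry no EKU`, and the same applies to the subordinate CA hunk at the end of this patch.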
@@ -16,6 +16,8 @@
 
 # [START privateca_create_subordinateca]
 resource "google_privateca_certificate_authority" "root_ca" {
+ // This example assumes this pool already exists.
+ // Pools cannot be deleted in normal test circumstances, so we depend on static pools
 pool = "my-pool"
 certificate_authority_id = "my-certificate-authority-root"
 location = "us-central1"
@@ -24,12 +26,9 @@ resource "google_privateca_certificate_authority" "root_ca" {
 config {
 subject_config {
 subject {
- organization = "HashiCorp"
+ organization = "ACME"
 common_name = "my-certificate-authority"
 }
- subject_alt_name {
- dns_names = ["hashicorp.com"]
- }
 }
 x509_config {
 ca_options {
@@ -43,7 +42,6 @@ resource "google_privateca_certificate_authority" "root_ca" {
 crl_sign = true
 }
 extended_key_usage {
- server_auth = false
 }
 }
 }
@@ -51,12 +49,14 @@ resource "google_privateca_certificate_authority" "root_ca" {
 key_spec {
 algorithm = "RSA_PKCS1_4096_SHA256"
 }
+ // valid for 10 years
+ lifetime = "${10 * 365 * 24 * 3600}s"
 }
 
-resource "google_privateca_certificate_authority" "default" {
+resource "google_privateca_certificate_authority" "sub_ca" {
 // This example assumes this pool already exists.
 // Pools cannot be deleted in normal test circumstances, so we depend on static pools
- pool = "my-pool"
+ pool = "my-sub-pool"
 certificate_authority_id = "my-certificate-authority-sub"
 location = "us-central1"
 deletion_protection = false # set to true to prevent destruction of the resource
@@ -66,12 +66,9 @@ resource "google_privateca_certificate_authority" "default" {
 config {
 subject_config {
 subject {
- organization = "HashiCorp"
+ organization = "ACME"
 common_name = "my-subordinate-authority"
 }
- subject_alt_name {
- dns_names = ["hashicorp.com"]
- }
 }
 x509_config {
 ca_options {
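Review bot: In the fourth hunk the subordinate CA is moved to `pool = "my-sub-pool"`, but the two context lines directly above still say the example relies on a pre-existing static pool that the tests cannot create, and neither the patch nor its message shows that a second static pool exists, so applying the example may now fail on a missing pool. Keeping root and issuing CA in separate pools is a sound choice, since the pool carries the issuance policy, but it should be stated so nobody "fixes" it back, e.g. `// Root and subordinate CA live in separate static pools; both must exist before apply.` The `root_ca` resource in this file is only visible up to its `location` line in the first hunk, so whether it carries the same `ignore_active_certificates_on_deletion` setting as the root CA in certificate_authority_basic/main.tf cannot be seen here; the two root examples should agree on that setting.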
@@ -81,28 +78,18 @@ resource "google_privateca_certificate_authority" "default" {
 }
 key_usage {
 base_key_usage {
- digital_signature = true
- content_commitment = true
- key_encipherment = false
- data_encipherment = true
- key_agreement = true
- cert_sign = true
- crl_sign = true
- decipher_only = true
+ cert_sign = true
+ crl_sign = true
 }
 extended_key_usage {
- server_auth = true
- client_auth = false
- email_protection = true
- code_signing = true
- time_stamping = true
 }
 }
 }
 }
- lifetime = "86400s"
+ // valid for 5 years
+ lifetime = "${5 * 365 * 24 * 3600}s"
 key_spec {
- algorithm = "RSA_PKCS1_4096_SHA256"
+ algorithm = "RSA_PKCS1_2048_SHA256"
 }
 type = "SUBORDINATE"
 }
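Review bot: The subordinate's `key_spec` is changed from `RSA_PKCS1_4096_SHA256` to `RSA_PKCS1_2048_SHA256` in the same hunk that shortens its lifetime, yet the commit message only talks about lifetimes; a smaller key on the issuing CA is a deliberate trade-off and should be either explained on that line or reverted to match the root. 2048-bit RSA is the floor the CA/B Baseline Requirements permit, so if it is kept a comment such as `algorithm = "RSA_PKCS1_2048_SHA256" # deliberately smaller than the root key; 2048 bit is the CA/B BR minimum` tells readers it was a choice, not a leftover. The `5 * 365 * 24 * 3600` expression ignores leap days, so the new comment is more accurate as `// valid for roughly 5 years (365-day years)`; the same wording applies to the 10-year values in the earlier hunks of both files. The enclosing `sub_ca` resource starts before this hunk.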